feat: native OAuth login page, architecture docs, docs site update

- Add GET/POST /login to hermes for first-party cookie during OAuth popup
  (fixes browser CHIPS cookie partitioning that broke claude.ai connection)
- Add role column to all findCustomer* SQL queries in src/auth.ts
- Add claude.ai tab to docs/getting-started.html with OAuth flow steps
- Add ARCHITECTURE.md with system diagrams, data flow, and key invariants
- Rewrite README.md and DEPLOY.md to reflect actual MicroK8s deployment
- Deploy updated docs site (squaremcp-docs sha256 updated)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

product/app/app.js

@@ -207,7 +207,13 @@ loginForm.addEventListener('submit', async (e) => {
     return;
   }
   currentUser = data;
-  isAdmin = data.plan === 'enterprise'; // simplistic admin check
+  isAdmin = data.role === 'admin';
+  // If we were sent here from an OAuth flow, redirect back
+  const returnTo = new URLSearchParams(window.location.search).get('return_to');
+  if (returnTo && returnTo.startsWith('https://hermes.squaremcp.com/')) {
+    window.location.href = returnTo;
+    return;
+  }
   showDashboard();
 });
 
@@ -629,12 +635,20 @@ async function checkSession() {
     return;
   }
 
+  // If we were sent here from an OAuth flow, redirect back after confirming session
+  const returnTo = urlParams.get('return_to');
+
   try {
     const data = await apiGet('/api/auth/me');
     if (data.id) {
       currentUser = data;
-      isAdmin = data.plan === 'enterprise';
+      isAdmin = data.role === 'admin';
       if (isAdmin) adminNav.classList.remove('hidden');
+      // Already logged in — bounce back to the OAuth authorize URL if present
+      if (returnTo && returnTo.startsWith('https://hermes.squaremcp.com/')) {
+        window.location.href = returnTo;
+        return;
+      }
       showDashboard();
     } else {
       showLogin();